Google Gemini Media

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: google-gemini-media
Version: 1.0.1

The skill provides instructions and code examples for interacting with the Google Gemini API for multimodal media tasks. All file system operations (e.g., `fs.readFileSync`, `fs.writeFileSync`) and network calls (`curl`, `@google/genai` SDK) are directly aligned with the stated purpose of processing and generating media. The use of `GEMINI_API_KEY` from environment variables is for legitimate API authentication, and there is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the OpenClaw agent. The content is clearly instructional and lacks any high-risk behaviors beyond what is necessary for its stated functionality.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill requires a Gemini API key that may incur quota or billing usage under the user's account.

Why it was flagged

The skill requires authenticated access to the user's Gemini account/API quota. This is expected for the stated integration, but the registry metadata lists no primary credential or required env vars.

Skill content

Put your API key in `GEMINI_API_KEY`; REST requests use `x-goog-api-key: $GEMINI_API_KEY`

Recommendation

Set the key only in the intended environment, avoid hardcoding it in prompts or files, and use a key scoped and monitored for Gemini API usage.

What this means

Images, audio, or video provided to these workflows may be transmitted to Google services for processing.

Why it was flagged

The skill explicitly supports uploading media to Google's Files API and reusing file URIs for large files or multi-turn workflows.

Skill content

Files API (upload then reference)... `files.upload(...)` ... Use `file_data` / `file_uri` in `generateContent`

Recommendation

Upload only media you intend to process with Gemini, review applicable Google data handling policies, and delete or limit reuse of uploaded files where appropriate.

What this means

Installing the SDK pulls code from the npm ecosystem into the user's project.

Why it was flagged

The skill suggests installing an external npm package without a pinned version. This is a normal setup step for the Gemini SDK, but users should verify package provenance.

Skill content

Install SDK (example):

```bash
npm install @google/genai
```

Recommendation

Install the official @google/genai package from a trusted registry, consider pinning a version, and follow normal dependency review practices.